"We will see catastrophic outages," PG&E Chief Information Security Officer James Sample warned state regulators at a recent forum, though not specifically referring to his company. "We are dealing with a very intelligent adversary."

The threat is regarded by U.S. officials and others as among the most worrisome the nation faces. A cyberattack could so severely damage a utility that millions of people might be left without power for months, experts say, shutting down water and transportation systems, threatening the sick and elderly, and causing billions of dollars in damage.

The California Public Utilities Commission warned in a recent report that utilities are becoming increasingly vulnerable as their networks add smart meters and other computerized gear.
(Karen T. Borchers/Staff file)

"How many days could hospitals operate with on-site electricity generation?" asked Rep. Cliff Stearns, R-Fla., during a congressional hearing he led last year into the cyberthreat faced by power grids. "How would metro rail systems operate, if at all? How would we recharge our smartphones or access the Internet?"

Late last year, a branch of the U.S. Department of Homeland Security reported seeing hackers infiltrating "oil and natural gas pipelines and electric power organizations at an alarming rate." While providing only sketchy details, the agency said it knew of 198 such "cyber-incidents" just last year. Of those, 41 percent involved energy companies -- including six "in the nuclear sector" -- and 15 percent were aimed at water-related firms.

Advertisement

Yet despite years of prodding, security specialists contend, many utility companies have done little to defend their operations.

"They just want to kind of pretend the problem doesn't exist," said Dale Peterson, CEO of Digital Bond, which assesses security at utilities and other firms. "So it might take some really tragic thing with some huge disruption of peoples' lives before something gets done."

Hoping to minimize that possibility, the California Public Utilities Commission is considering rules to bolster cybersecurity protections. The agency, which held the forum Sample attended, warned in a recent report that utilities are becoming increasingly vulnerable as their networks add smart meters and other computerized gear.

But while federal rules require certain facilities and power lines to be protected from hackers, most are not. The CPUC's study said, "80-90 percent or more of the electric infrastructure currently does not fall under any required standards and cybersecurity practices of the utilities are not monitored."

The report added that utilities often are reluctant to say they've been hacked, fearing the disclosure might expose them to liability. Then again, many of them might not even know they were attacked, according to Joseph Weiss, a security expert with Applied Control Solutions in Cupertino, because "very, very few have monitoring on the control system networks."

In February, hackers shut down the website and online payment systems of an electric, water and sewer utility in Jacksonville, Fla. In an incident last year, an unnamed power plant was hit by a computer virus that prevented it from restarting for several weeks, according to the Department of Homeland Security. The federal agency also reported "an active series of cyber-intrusions targeting natural gas pipeline sector companies," but provided few other details on the incidents.

In a separate attack in September, Canada's Telvent, now Schneider Electric, whose software helps manage power grids and gas pipelines, revealed without elaborating that hackers -- later alleged to be from China -- had broken into its computers and "affected some customer files."

Among other noted attacks, security firm McAfee disclosed in 2011 that several oil, gas and petrochemical companies had been hacked in ways that could let an outsider "completely control the affected system." And in 2010, Iran revealed that its nuclear facilities were disrupted by malicious code, widely believed to have been developed by the U.S. and Israel.

Evidence suggests many other utilities are vulnerable.

In August, the Nuclear Regulatory Commission faulted Southern California Edison for lacking proper procedures to protect "sensitive security equipment at San Onofre nuclear plant from hackers and other cybersecurity threats," according to the CPUC's report.

Even many of those employed to protect such equipment are worried, recent surveys have found.

When San Francisco risk-management company nCircle asked 104 energy security professionals if their smart meter installations had sufficient protections against hackers fouling up the system with false data, 61 percent said no. Security experts are concerned that someone hacking into smart meters could possibly steal personal information, turn off the power to individual homes and businesses, and conceivably disrupt power to many more people by accessing other equipment through the meters.

But upgrading utility security wouldn't be cheap. Cost estimates for needed improvements over the next few years range upward of $14 billion. Meanwhile, hackers can launch their assaults for next to nothing.

All it would take to cause havoc is a $60 smartphone application, which an attacker could use to wirelessly communicate with one of the key computerized systems that utilities depend on to control their operations, according to a study by security firm Pike Research.

Currently, "many attacks simply cannot be defended," it concluded. "Utility cybersecurity is in a state of near chaos."